prevent sending magic link if email not allowed

nicktrn · nicktrn · commit 04c36011c61a · 2025-05-21T20:51:05.000+01:00
diff --git a/apps/webapp/app/models/user.server.ts b/apps/webapp/app/models/user.server.ts
@@ -7,7 +7,7 @@ import {
   getDashboardPreferences,
 } from "~/services/dashboardPreferences.server";
 export type { User } from "@trigger.dev/database";
-
+import { assertEmailAllowed } from "~/utils/email";
 type FindOrCreateMagicLink = {
   authenticationMethod: "MAGIC_LINK";
   email: string;
@@ -41,9 +41,7 @@ export async function findOrCreateUser(input: FindOrCreateUser): Promise<LoggedI
 export async function findOrCreateMagicLinkUser({
   email,
 }: FindOrCreateMagicLink): Promise<LoggedInUser> {
-  if (env.WHITELISTED_EMAILS && !new RegExp(env.WHITELISTED_EMAILS).test(email)) {
-    throw new Error("This email is unauthorized");
-  }
+  assertEmailAllowed(email);
 
   const existingUser = await prisma.user.findFirst({
     where: {
@@ -79,9 +77,7 @@ export async function findOrCreateGithubUser({
   authenticationProfile,
   authenticationExtraParams,
 }: FindOrCreateGithub): Promise<LoggedInUser> {
-  if (env.WHITELISTED_EMAILS && !new RegExp(env.WHITELISTED_EMAILS).test(email)) {
-    throw new Error("This email is unauthorized");
-  }
+  assertEmailAllowed(email);
 
   const name = authenticationProfile._json.name;
   let avatarUrl: string | undefined = undefined;
diff --git a/apps/webapp/app/services/email.server.ts b/apps/webapp/app/services/email.server.ts
@@ -3,11 +3,11 @@ import { EmailClient, MailTransportOptions } from "emails";
 import type { SendEmailOptions } from "remix-auth-email-link";
 import { redirect } from "remix-typedjson";
 import { env } from "~/env.server";
-import type { User } from "~/models/user.server";
 import type { AuthUser } from "./authUser";
 import { workerQueue } from "./worker.server";
 import { logger } from "./logger.server";
 import { singleton } from "~/utils/singleton";
+import { assertEmailAllowed } from "~/utils/email";
 
 const client = singleton(
   "email-client",
@@ -66,6 +66,8 @@ function buildTransportOptions(alerts?: boolean): MailTransportOptions {
 }
 
 export async function sendMagicLinkEmail(options: SendEmailOptions<AuthUser>): Promise<void> {
+  assertEmailAllowed(options.emailAddress);
+
   // Auto redirect when in development mode
   if (env.NODE_ENV === "development") {
     throw redirect(options.magicLink);
diff --git a/apps/webapp/app/utils/email.ts b/apps/webapp/app/utils/email.ts
@@ -0,0 +1,13 @@
+import { env } from "~/env.server";
+
+export function assertEmailAllowed(email: string) {
+  if (!env.WHITELISTED_EMAILS) {
+    return;
+  }
+
+  const regexp = new RegExp(env.WHITELISTED_EMAILS);
+
+  if (!regexp.test(email)) {
+    throw new Error("This email is unauthorized");
+  }
+}
